Lighthouse
Lighthouse is a China-based, financially motivated phishing-as-a-service (PhaaS) operation and criminal enterprise associated with large-scale global smishing campaigns. Google described it as a massive criminal group in China that sells easy-to-use phishing kits, including via Telegram, to enable other cybercriminals to run SMS phishing attacks. The operation has been described as affecting more than 1 million victims across 120 countries, with campaigns disproportionately targeting U.S. victims.
Lighthouse is used to impersonate trusted brands and institutions, including USPS, E-ZPass and other toll systems, and Google-branded services, in order to steal payment card data, credentials, personal information, banking information and, in some reporting, MFA/2FA codes. Google identified at least 107 phishing website templates associated with the operation, including templates that illegally used Google branding; other reporting cites at least 116 templates featuring Google logos such as YouTube, Gmail, Google, or Google Play.
The kits were marketed as subscription-based offerings, with pricing reported from as low as $88 per week up to annual tiers, and were supported through Telegram channels with thousands of members. Reporting states that Lighthouse provides phishing templates, domain setup tools, and infrastructure to customers, and that operators and users rapidly rotate domains to evade detection. Campaign delivery included smishing messages sent through channels such as iMessage and RCS, with phishing sites designed to harvest credit card numbers and other victim data. Google alleged the enterprise also used YouTube and Telegram for coordination, sales, and training before unlawful coordination on YouTube was disrupted.
Reporting also links Lighthouse to the alias or prior branding Smishing Triad, stating that the group rebranded as Lighthouse in March 2025. Cisco Talos-linked reporting associates the kits with a Chinese threat actor known as Wang Duo Yu, who allegedly sold and supported the kits via Telegram. Researchers have also discussed possible connections between Lighthouse and similar Chinese-linked PhaaS ecosystems such as Lucid, but only Lighthouse, Smishing Triad, and Wang Duo Yu are directly mentioned in relation to this actor.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
2 distinct techniques observed across reporting, grouped by tactic.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Massive China-based phishing-as-a-service platform whose operators were sued by Google after the service ensnared over 1 million users across 120 countries.
Lighthouse is a China-based phishing-as-a-service (PhaaS) operation that has impacted over 1 million users globally through large-scale phishing campaigns.
Lighthouse is a phishing-as-a-service operation used to send SMS phishing messages to steal payment card data from victims worldwide.
A China-based criminal phishing enterprise allegedly selling phishing kits and coordinating large-scale text phishing scams that impersonate US institutions and brands, primarily targeting Americans.